
Analysis of Searchable Encryption



Searchable Encryption remains one of the most widely required functionalities of cloud storage. In this paper, we provide a security analysis of the popular schemes, including a study of their implementation and security definitions. We cover Order Preserving Symmetric Encryption, Order Revealing Encryption and Partial Order Preserving Encoding.

Published in: Engineering


Analysis of Searchable Encryption Schemes

Nagendra Posani and Swarnim Vyas
December 12, 2016

Abstract

Searchable Encryption remains one of the most widely required functionalities of cloud storage. In this paper, we provide a security analysis of the popular schemes, including a study of their implementation and security definitions. We cover Order Preserving Symmetric Encryption, Order Revealing Encryption and Partial Order Preserving Encoding.

1 Introduction

With the advent of cloud storage and the need for secure storage, Searchable Encryption has become a topic of great interest. There have been multiple attempts to strike a balance between efficient functionality and security, which trade off against each other. The paper of [ABO09] opened up many avenues for research in this area. There have been multiple attempts to define a single notion of security for such schemes that captures message security the way standard notions like IND-CCA and IND-CPA do. This paper discusses IND-DCPA and IND-OCPA and which schemes are secure under these notions. We also discuss the POPF security notion for OPE schemes described by [ABO]. We define Order Revealing Encryption [DBZ] and its latest improvement [KL], which is IND-OCPA. We also discuss Partial Order Preserving Encoding [DSRY], which keeps its data encrypted under strong symmetric encryption schemes and learns the order of the ciphertexts dynamically when the user makes a range query. Finally, we provide a basic landscape of the schemes between functionality and security.

2 Schemes and Security Notions

2.1 Randomized Encryption

To securely save data on the cloud, we can encrypt the data using any good IND-CPA symmetric encryption. Such encryption schemes are randomized. A search query on data encrypted under this scheme forces the server to iterate over the whole encrypted data set to find a match and then return it.
This is so because the ciphertext is randomized and no information about the message leaks through it that could be harnessed to expedite the response to the search query. The scheme is IND-CPA secure. It is secure but suffers from poor efficiency of the search functionality: a linear search must be done whenever a query reaches the server. This may lead to poor performance and RTT for the query. Thus the trade-off between security and efficiency of functionality mentioned above appears.

2.2 Order Preserving Encryption

In the scheme of Section 2.1, we use IND-CPA secure encryption. This implies that the ciphertext is totally randomized, and thus we lose efficiency of search functionality. To provide better efficiency and search functionality, [ABO09] suggested the use of a deterministic scheme: Order Preserving Encryption. In this scheme, encryption maintains the order of the messages in the ciphertexts as well. For example, if m1 < m2 then Encryption(m1) < Encryption(m2). This scheme enhances the search functionality, and the performance, as shown in Figure 1, is better than that of linear search.

Formally, for A, B ⊆ N with |A| ≤ |B|, a function f : A → B is order preserving (a.k.a. strictly increasing) if for all i, j ∈ A, f(i) > f(j) if and only if i > j. We say a deterministic encryption scheme SE = (K, Enc, Dec) with plaintext- and ciphertext-spaces D, R is order preserving if Enc(K, ·) is an order-preserving function from D to R for all keys K output by the key generation algorithm K (with elements of D, R interpreted as numbers, encoded as strings). Unless otherwise stated, we assume the plaintext-space is [M] and the ciphertext-space is [N] for some N ≥ M ∈ N.

Figure 1: OPE & Security. (a) Order Preserving Encryption (OPE); (b) OPE revealing the length.

2.3 IND-DCPA and IND-OCPA

We know that no deterministic scheme is IND-CPA secure; therefore, when using a deterministic encryption as in Section 2.2, we need a new security notion. IND-DCPA (Indistinguishability under Distinct Chosen Plaintext Attack) [MB] restricts the adversary to making only distinct queries on either side of the oracle. A deterministic scheme leaks plaintext equality, so without this restriction the scheme would succumb to a trivial attack. Formally, supposing A makes queries (m_0^1, m_1^1), ..., (m_0^q, m_1^q), they require that m_b^1, ..., m_b^q are all distinct for b ∈ {0, 1}.

IND-OCPA (Indistinguishability under Ordered Chosen Plaintext Attack) is a generalized form of IND-DCPA. It adds that nothing except the order of the plaintexts is revealed to the adversary by the ciphertexts. Formally, it also requires that all queries made by adversary A satisfy m_0^i < m_0^j iff m_1^i < m_1^j for all 1 ≤ i, j ≤ q.

2.4 Is OPE IND-Ordered CPA?

Unfortunately, OPE is not IND-Ordered CPA: apart from the order of the messages, it also leaks information about the distance between them. Say m2 = m1 + 10; then Encryption(m1) and Encryption(m2) would give the adversary an idea of how far apart the messages m1 and m2 are. The [ABO09] paper claims that IND-OCPA is unachievable by a practical order-preserving encryption scheme. Precisely speaking, an OPE scheme cannot be IND-OCPA unless its ciphertext-space is extremely large (exponential in the size of the plaintext-space).

2.5 OPE - POPF & Window One-Wayness

In particular, the [ABO] paper shows that, for a database of randomly distributed plaintexts and an appropriate choice of parameters, ROPF encryption leaks neither the precise value of any plaintext nor the precise distance between any two of them. Informally, the POPF notion calls an OPE scheme secure if oracle access to its encryption algorithm is indistinguishable from that to a random order-preserving function (ROPF), i.e., a random element of the set of all strictly-increasing functions on the same domain and range.
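For small parameters the ROPF just defined can be sampled directly. The following added example (not from this paper, [ABO] or [ABO09]) does so and plays the left-or-right game of Section 2.3 against it, showing that a query sequence admissible under IND-OCPA is still told apart through the distance leakage of Section 2.4; the parameters M = 64, N = 2^16 and the query triples are constructed for illustration.

```python
import random

def sample_ropf(M, N, rng):
    # ROPF on [1..M] -> [1..N]: pick a uniformly random M-element subset of
    # the range and assign it to the domain in increasing order.
    images = sorted(rng.sample(range(1, N + 1), M))
    return dict(zip(range(1, M + 1), images))

def admissible(queries, ordered=True):
    # IND-DCPA: the messages on each side must be distinct.
    # IND-OCPA (ordered=True): both sides must also share one order pattern.
    left, right = zip(*queries)
    if len(set(left)) < len(left) or len(set(right)) < len(right):
        return False
    q = range(len(queries))
    return not ordered or all(
        (left[i] < left[j]) == (right[i] < right[j]) for i in q for j in q)

def guess_side(c1, c2, c3):
    # The middle plaintext sits next to the smallest one on the left side and
    # next to the largest one on the right; ciphertext gaps track that.
    return 0 if (c2 - c1) < (c3 - c2) else 1

def success_rate(M=64, N=2**16, trials=200, seed=1):
    rng = random.Random(seed)
    queries = [(1, 1), (2, M - 1), (M, M)]   # constructed, same order pattern
    assert admissible(queries)
    wins = 0
    for _ in range(trials):
        f = sample_ropf(M, N, rng)           # fresh key = fresh ROPF
        b = rng.randrange(2)                 # challenger's hidden side
        c = [f[pair[b]] for pair in queries]
        wins += guess_side(*c) == b
    return wins / trials

if __name__ == "__main__":
    print(success_rate())
```

A success rate near 1 rather than 1/2 means that even an ideal order-preserving function fails IND-OCPA at these parameters, which is why [ABO] turn to the weaker window one-wayness notions.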
The POPF notion is a rather straightforward adaptation of the classical notion of pseudorandom function (PRF), which asks that oracle access to a function be indistinguishable from that to a truly random function on the same domain and range, to the order-preserving context, and it captures some intuition of what should be the "best possible" OPE scheme. However, the POPF definition is somewhat deceiving and confusing in terms of giving an idea of what kind of security it describes. The proof in [ABO] addresses the central concerns about ROPF ciphertexts: whether they leak the locations of plaintexts or the distances between plaintexts. For this, [ABO] proposed several varieties of one-wayness, such as (r, z)-Window One-Wayness and (r, z)-Window Distance One-Wayness. These security notions say that the ROPF is secure for small windows of one-wayness and insecure for large windows. The paper also gives a lower bound and an upper bound for both scenarios.

2.6 Order Revealing Encryption

A secret-key encryption scheme is order-revealing [DBZ] if there is a public procedure that takes two encrypted plaintexts as input and reports their lexicographic ordering. This procedure, which we call the order-revealing algorithm, requires no secrets and can be evaluated by anyone. More precisely, an order-revealing scheme is a tuple (G, E, D) of algorithms. Algorithm G outputs a pair (sk, comp), where sk is a secret encryption key and comp(·, ·) is an efficient deterministic algorithm that takes two ciphertexts as input and outputs either '<' or '>'. The [DBZ] construction of ORE begins with a simple automaton for the comparison function on two inputs, which they represent as a low-width matrix branching program. They encrypt in a way such that, given two independently created ciphertexts, anyone can run the comparison branching program to reveal the relative ordering of the corresponding plaintexts. But this scheme suffers from inference attacks and reveals almost all of the plaintext information with auxiliary data [FBD], so new constructions have been proposed to overcome these attacks.

Figure 2: ORE Encryption: New Construction¹

2.7 New Construction in Order Revealing Encryption

The new construction of ORE in [KL] extends a small-domain ORE with best-possible security to a large-domain ORE with partial leakage, using a domain extension technique inspired by [NCW].

2.7.1 Small Domain ORE

It considers the message space to be small, say {1, 2, 3, ..., N}, and associates each value with a key, thus requiring the generation and use of N keys in total. These N keys (k1, k2, ..., kN) can be generated from a PRF. Each value i is encoded so that all positions ≤ i have value 1 and all positions > i have value 0. When encrypting message i, each bit is encrypted under a key: the first bit under k1, the second under k2, and so on up to the Nth bit under kN. Whenever the user makes a query, ki has to be given to the server with the query to allow comparison. But this reveals the value i itself. To avoid revealing i, instead of encrypting the first bit under k1, the second under k2 and so on, the first bit is encrypted under kπ(1), the second under kπ(2), and so on up to the Nth bit under kπ(N), where π is a random permutation. This does not reveal i when querying a comparison with i: since we send kπ(i) rather than ki, the server learns nothing about the value.

2.7.2 Extending Small Domain ORE

The basic idea is to decompose the message into smaller blocks and apply small-domain ORE to each block. Each chunk's keys are derived from the prefix block. The overall leakage is the first block that differs. The practical ORE mentioned in Section 2.6 leaks the first differing bit, whereas this scheme leaks the first differing block but provides better security in the overall landscape.
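A toy version of the construction in Sections 2.7.1 and 2.7.2, added here as an illustration and not taken from [KL] or its reference implementation. It assumes HMAC-SHA256 as the PRF, 4-bit blocks with values 0..15, block keys derived from all preceding blocks, and a three-valued comparison result per slot in place of the 0/1 vector described above (needed to recognise equal blocks); all function names are hypothetical.

```python
import hashlib
import hmac
import os

D = 16  # values per block (4-bit blocks): each block is a small domain

def prf(key, *parts):
    msg = "|".join(map(str, parts)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def slot_of(bk, j):
    # pi(j): where value j lands when the block is shuffled under key bk
    return sorted(range(D), key=lambda v: prf(bk, "perm", v)).index(j)

def block_key(sk, prefix):
    # Section 2.7.2: a block's keys are derived from the blocks before it
    return prf(sk, "blk", *prefix)

def token(sk, x):
    # query side: per block, the slot pi(x_t) and the key of that slot only
    out = []
    for t, xt in enumerate(x):
        bk = block_key(sk, x[:t])
        s = slot_of(bk, xt)
        out.append((s, prf(bk, "slot", s)))
    return out

def encrypt(sk, y):
    # stored side: per block, D masked comparison results in permuted order
    r = os.urandom(16).hex()
    blocks = []
    for t, yt in enumerate(y):
        bk = block_key(sk, y[:t])
        slots = [0] * D
        for j in range(D):
            s = slot_of(bk, j)
            c = 0 if j == yt else (1 if j < yt else 2)
            slots[s] = (c + prf(prf(bk, "slot", s), r, t)[0]) % 3
        blocks.append(slots)
    return r, blocks

def compare(tok, ct):
    # public, keyless: (index of first differing block or None, '<'|'>'|'=')
    r, blocks = ct
    for t, ((s, k), slots) in enumerate(zip(tok, blocks)):
        c = (slots[s] - prf(k, r, t)[0]) % 3
        if c:
            return t, "<" if c == 1 else ">"
    return None, "="
```

The first element returned by `compare` is exactly what the server learns beyond the order: the index of the first differing block, not the position of the first differing bit inside it.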
2.8 Partial Order Preserving Encoding

[DSRY] describe a new OPE scheme called Partial Order Preserving Encoding (POPE). This is an application-specific encoding that can provide better performance in big-data scenarios with many insertions and few range queries. Typical 'strong' randomized encryption is used here: data is encrypted under such a symmetric cipher and stored. The server stores a partially ordered B-tree. Whenever an insertion takes place, the ciphertext of the message is computed and saved without maintaining any order. The user maintains a buffer of size l. Whenever the user makes a range query, the server returns the whole storage if the buffer size is greater than the data at the server. Otherwise, if the storage is greater than the user's buffer size, the server promotes m random items and sends them to the client. The client sorts, stores, and remembers the m items and sends them back to the server. The client then partitions the remaining items and, after processing, the result of the query is returned. Figure 3 gives the sequential flow of the scheme. After this, further insertions are done, and whenever a range query is received, the same process is followed but on the partial B-tree. Thus the order of the ciphertexts is learned slowly with each query and not otherwise.

The average cost per operation is O(1), and the worst-case round complexity per operation is O(1), assuming:
1) n insertions
2) Reasonable client-side temporary storage: L ∈ Ω(n^{O(1)})
3) Not too many range queries: m ≤ n ÷ L

¹ Images are taken from David Wu's presentation on ORE at the CCS-16 Conference.
² Images are taken from Daniel S. Roche's presentation on POPE at the CCS-16 Conference.
Figure 3: POPE²
(a) Client makes a range query
(b) Server returns m random values to the client
(c) Client returns the sorted m values back to the server
(d) Client partitions the remaining items by answering the server's queries
(e) After processing, the result of the range query is returned
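One level of the POPE flow in Figure 3, as an added simulation that is not the [DSRY] implementation. The toy XOR cipher keyed with BLAKE2b, the class and method names, and keeping the pivots as a single flat level instead of a B-tree are assumptions of this sketch.

```python
import bisect
import hashlib
import os
import random

class Client:
    def __init__(self, key, L):
        self.key, self.L, self.pivots = key, L, []

    def _pad(self, nonce):  # keyed BLAKE2b as the PRF behind a toy XOR cipher
        mac = hashlib.blake2b(nonce, key=self.key, digest_size=8)
        return int.from_bytes(mac.digest(), "big")

    def enc(self, m):  # randomized: a fresh nonce for every ciphertext
        nonce = os.urandom(12)
        return nonce, m ^ self._pad(nonce)
    def dec(self, ct):
        return ct[1] ^ self._pad(ct[0])

    def sort_pivots(self, cts):  # Figure 3 (b)-(c): sort, remember, send back
        self.pivots = sorted(map(self.dec, cts))
        return sorted(cts, key=self.dec)

    def bucket_of(self, ct):  # Figure 3 (d): answer one partition question
        return bisect.bisect_left(self.pivots, self.dec(ct))

    def query(self, server, lo, hi):  # Figure 3 (a) and (e)
        cts = server.range_query(self, self.enc(lo), self.enc(hi))
        return sorted(m for m in map(self.dec, cts) if lo <= m <= hi)

class Server:
    def __init__(self):
        self.pending, self.pivots, self.buckets = [], [], []

    def insert(self, ct):  # O(1): appended, no order learned
        self.pending.append(ct)

    def range_query(self, client, lo_ct, hi_ct):
        if not self.pivots:
            if len(self.pending) <= client.L:
                return list(self.pending)  # fits the buffer: send everything
            picked = random.sample(self.pending, client.L)
            self.pivots = client.sort_pivots(picked)
            self.buckets = [[] for _ in range(client.L + 1)]
            self.pending = [c for c in self.pending if c not in picked]
        for ct in self.pending:  # drain inserts made since the last query
            self.buckets[client.bucket_of(ct)].append(ct)
        self.pending = []
        a, b = client.bucket_of(lo_ct), client.bucket_of(hi_ct)
        return [c for bk in self.buckets[a:b + 1] for c in bk] + self.pivots[a:b + 1]
```

After a query the server knows only which bucket each ciphertext fell into and the order of the pivots; items inside one bucket remain unordered from its point of view.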
Figure 4: Overall Landscape³

3 Conclusion

The selection of any deterministic scheme should be made with caution. The notions described and proven in the discussed papers should be properly understood before using these schemes in your application. The selection is also highly dependent on the application and the tasks it has to perform. For example, for an application dealing with big data, where a large number of insertions take place and few queries are made, POPE can be deployed. However, for an application demanding a large number of queries, performance would deteriorate with POPE, as it requires a lot of interaction with the client and increases the overall round-trip time of the query results. OPE leaks some information about the underlying data, and therefore practitioners should carefully evaluate the security and functionality achieved when using OPE. Also, in the case of public-key cryptography, OPE is susceptible to a brute-force attack using binary search. Therefore, the choice of scheme should be evaluated on the basis of the trade-off between efficient functionality and the security it provides. The security of the scheme should be well understood before use. The nature of the application for which it is being used should also be considered. There is no single silver-bullet scheme that solves all our problems in the world of Searchable Encryption. There is a need for continuous research and rigorous testing in real-life scenarios before deploying these schemes for widespread use. Today, ORE has been implemented by CipherCloud and SkyHigh, has been prototyped by Google and Microsoft, and is used in academic projects like CryptDB [FBD].

³ Images are taken from Daniel S. Roche's presentation on POPE at the CCS-16 Conference.

References

[ABO] Nathan Chenette, Alexandra Boldyreva and Adam O'Neill. Order-preserving encryption revisited: Improved security analysis and alternative solution. CRYPTO.
[ABO09] Younho Lee, Alexandra Boldyreva, Nathan Chenette and Adam O'Neill. Order-preserving symmetric encryption. EUROCRYPT, pages 224–241, 2009.
[DBZ] Mariana Raykova, Amit Sahai, Mark Zhandry, Dan Boneh, Kevin Lewi and Joe Zimmerman. Semantically secure order-revealing encryption: Multi-input functional encryption without obfuscation. EUROCRYPT.
[DSRY] Seung Geol Choi, Daniel S. Roche, Daniel Apon and Arkady Yerukhimovich. POPE: Partial order preserving encoding. ACM CCS.
[FBD] David Cash, F. Betül Durak, Thomas M. DuBuisson. What else is revealed by order-revealing encryption? ACM CCS.
[KL] David J. Wu, Kevin Lewi. Order-revealing encryption: New constructions, applications, and lower bounds. ACM CCS.
[MB] C. Namprempre, M. Bellare, T. Kohno. Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. ACM CCS.
[NCW] Stephen A. Weis, Nathan Chenette, Kevin Lewi and David J. Wu. Practical order-revealing encryption with limited leakage. FSE.